OraFAQ Forum: Security » Using sticky bit on Oracle directory & umask

Home » RDBMS Server » Security » Using sticky bit on Oracle directory & umask

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Using sticky bit on Oracle directory & umask [message #165161]

Tue, 28 March 2006 10:55

sikyala
Messages: 33
Registered: May 2005

Member

I am in the process of applying STIG recommendations for Solaris to a database server. One of the recommendations is to apply a "sticky bit". From what I understand When the so-called "sticky bit" is set on a directory, then only the owner of a file may remove that file from the directory (as opposed to the usual behavior where anybody with write access to that directory may remove the file). Setting the sticky bit prevents users from overwriting each other's files, whether accidentally or maliciously, and is generally appropriate for most world-writable directories.

I would prefer not to use the "sticky bit" to avoid possibly breaking any application dependencies on a given directory. I also must consider how effective this would be because umask is being used.

I think the real problem is that the "/var/tmp/.oracle" directory on the server has the wrong permissions. What can be done to prevent this temporary file from being created with the wrong permissions every time the database is restarted?

Report message to a moderator

Re: Using sticky bit on Oracle directory & umask [message #165670 is a reply to message #165161]

Fri, 31 March 2006 06:17

Frank Naude
Messages: 4587
Registered: April 1998

Senior Member

The /tmp and /var/tmp directories should have the sticky bit set. If not, ask your system administrator to set them. Setting the sticky bit will not break anything. It will just prevent people from deleting stuff that they don't own.

$ ls -ld /tmp /var/tmp
drwxrwxrwt  17 bin      bin           16384 Mar 31 14:00 /tmp
drwxrwxrwt   2 bin      bin            4096 Mar 31 14:00 /var/tmp

For example, Oracle creates sockets in /var/tmp/ (or /tmp) that is world readable and writeable. This is not controlled by oracle's UMASK. You definitely don't want to allow any user from deleting them!

$ ls -ltr /tmp/.oracle
total 0
srwxrwxrwx   1 oracle   dba               0 Nov 06 21:45 s#1663178.1
srwxrwxrwx   1 oracle   dba               0 Nov 20 10:54 sOracle_CSS_LclLstnr_localhost_0
srwxrwxrwx   1 oracle   dba               0 Nov 20 14:37 s#1437882.1
srwxrwxrwx   1 oracle   dba               0 Nov 20 14:43 s#954602.1

Report message to a moderator

Re: Using sticky bit on Oracle directory & umask [message #165696 is a reply to message #165670]

Fri, 31 March 2006 10:54

sikyala
Messages: 33
Registered: May 2005

Member

Thanks!

Report message to a moderator

Previous Topic:	execute any privilege
Next Topic:	forget my sys password

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Jan 18 03:07:22 CST 2025